I need to upgrade the protocol to TLSv1.3

I need to upgrade the protocol to TLSv1.3. I followed this manual.
I generated all the certificates with certbot.
There is a paragraph in the above manual:

Step 3: edit options-ssl-nginx.conf

I need to edit this file

/etc/letsencrypt/options-ssl-nginx.conf

The content of that file is

# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;

ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";

I just changed

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

to

ssl_protocols TLSv1.2 TLSv1.3;

Can we have problems updating certbot in the future?
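As an added example (not part of the original post or of Certbot's own tooling), the edit described above can be made and audited with a small POSIX shell script. It assumes GNU sed (as on Debian) for the in-place rewrite, and the config path is the one quoted in the question; the sample file used in testing is constructed, not copied from a live server.

```shell
#!/bin/sh
# Added example: audit and rewrite the ssl_protocols directive in an nginx
# include such as /etc/letsencrypt/options-ssl-nginx.conf.
# Assumes GNU sed (for -i). Run against a copy first, then `nginx -t`.

# Print the protocol list of the first ssl_protocols directive in $1.
ssl_protocols_of() {
    sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]\{1,\}\(.*\);.*$/\1/p' "$1" | head -n 1
}

# Return 0 when no legacy protocol (SSLv2/SSLv3/TLSv1/TLSv1.1) is enabled
# and TLSv1.3 is present; otherwise report each problem and return 1.
check_ssl_protocols() {
    protos=$(ssl_protocols_of "$1")
    status=0
    for p in SSLv2 SSLv3 TLSv1 TLSv1.1; do
        # Pad with spaces so "TLSv1" does not match inside "TLSv1.2".
        case " $protos " in
            *" $p "*) echo "legacy protocol enabled: $p"; status=1 ;;
        esac
    done
    case " $protos " in
        *" TLSv1.3 "*) ;;
        *) echo "TLSv1.3 not enabled"; status=1 ;;
    esac
    return $status
}

# Rewrite the directive in place to TLSv1.2 and TLSv1.3 only, keeping a
# backup next to the file. Other directives in the file are left untouched.
set_modern_protocols() {
    cp "$1" "$1.bak"
    sed -i 's/^\([[:space:]]*ssl_protocols\)[[:space:]].*;/\1 TLSv1.2 TLSv1.3;/' "$1"
}

# Usage: sh tls_protocols.sh /etc/letsencrypt/options-ssl-nginx.conf
if [ "$#" -gt 0 ]; then
    check_ssl_protocols "$1" && echo "ok: ssl_protocols $(ssl_protocols_of "$1");"
fi
```

After rewriting, run `nginx -t` and reload, then confirm from a client that the server accepts `openssl s_client -connect example.org:443 -tls1_3` and refuses `-tls1_1` and `-tls1`; note that TLSv1.3 also requires nginx 1.13.0+ built against OpenSSL 1.1.1+, which the directive alone does not guarantee.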

Newer versions of Certbot already enable TLSv1.3 for you.

If you are stuck on an older version of Certbot for the foreseeable future (e.g. you installed the apt package), there's nothing wrong with modifying the file with the adjustments you need.

Certbot won't undo your changes.


Thank you for the quick reply
Then I don't have to worry and everything will work?
I installed certbot on Debian 10 with apt:

sudo apt-get update && sudo apt upgrade
sudo apt-get install certbot
sudo apt-get install python-certbot-nginx

certbot 0.31.0


Yes, it'll be totally safe to make your change.

Even if you do upgrade Certbot, it will just warn you that the file has been manually modified and that you should update it to the latest available config. But it will keep working.


Thank you very much for the answer :wink:
